fix(api): correct admin data scoping in generic data handlers

fulleni · fulleni · commit b2b43634b193 · 2025-07-12T08:22:12.000+01:00
Fixes a bug where administrators were incorrectly scoped to their own
userId when accessing user-owned resources, preventing them from
managing other users' data.

The logic in the generic data handlers (`/data` and `/data/[id]`) has
been updated to only apply the `userId` filter to repository calls if
the model is user-owned AND the authenticated user is not an admin.
This allows administrators to perform global operations as intended.
diff --git a/routes/api/v1/data/[id]/index.dart b/routes/api/v1/data/[id]/index.dart
@@ -87,7 +87,8 @@ Future<Response> _handleGet(
   // for filtering. Otherwise, pass null.
   // Note: This is for data *scoping* by the repository, not the permission check.
   // We infer user-owned based on the presence of getOwnerId function.
-  if (modelConfig.getOwnerId != null) {
+  if (modelConfig.getOwnerId != null &&
+      !permissionService.isAdmin(authenticatedUser)) {
     userIdForRepoCall = authenticatedUser.id;
   } else {
     userIdForRepoCall = null;
@@ -276,7 +277,8 @@ Future<Response> _handlePut(
   String? userIdForRepoCall;
   // If the model is user-owned, pass the authenticated user's ID to the repository
   // for ownership enforcement. Otherwise, pass null.
-  if (modelConfig.getOwnerId != null) {
+  if (modelConfig.getOwnerId != null &&
+      !permissionService.isAdmin(authenticatedUser)) {
     userIdForRepoCall = authenticatedUser.id;
   } else {
     userIdForRepoCall = null;
@@ -445,7 +447,8 @@ Future<Response> _handleDelete(
   String? userIdForRepoCall;
   // If the model is user-owned, pass the authenticated user's ID to the repository
   // for ownership enforcement. Otherwise, pass null.
-  if (modelConfig.getOwnerId != null) {
+  if (modelConfig.getOwnerId != null &&
+      !permissionService.isAdmin(authenticatedUser)) {
     userIdForRepoCall = authenticatedUser.id;
   } else {
     userIdForRepoCall = null;
diff --git a/routes/api/v1/data/index.dart b/routes/api/v1/data/index.dart
@@ -4,6 +4,7 @@ import 'dart:io';
 import 'package:dart_frog/dart_frog.dart';
 import 'package:ht_api/src/registry/model_registry.dart';
 import 'package:ht_data_repository/ht_data_repository.dart';
+import 'package:ht_api/src/rbac/permission_service.dart';
 import 'package:ht_shared/ht_shared.dart';
 
 import '../../../_middleware.dart'; // For RequestId
@@ -77,8 +78,10 @@ Future<Response> _handleGet(RequestContext context) async {
   }
 
   // --- Repository Call ---
-  final userIdForRepoCall =
-      (modelConfig.getOwnerId != null) ? authenticatedUser.id : null;
+  final userIdForRepoCall = (modelConfig.getOwnerId != null &&
+          !context.read<PermissionService>().isAdmin(authenticatedUser))
+      ? authenticatedUser.id
+      : null;
 
   dynamic responseData;
 
@@ -175,8 +178,10 @@ Future<Response> _handlePost(RequestContext context) async {
   }
 
   // --- Repository Call ---
-  final userIdForRepoCall =
-      (modelConfig.getOwnerId != null) ? authenticatedUser.id : null;
+  final userIdForRepoCall = (modelConfig.getOwnerId != null &&
+          !context.read<PermissionService>().isAdmin(authenticatedUser))
+      ? authenticatedUser.id
+      : null;
 
   dynamic createdItem;
   switch (modelName) {
